diff --git a/internal/graphql/forgot_password.go b/internal/graphql/forgot_password.go
index dbd25e8f..2cd53f37 100644
--- a/internal/graphql/forgot_password.go
+++ b/internal/graphql/forgot_password.go
@@ -77,7 +77,7 @@ func (g *graphqlProvider) ForgotPassword(ctx context.Context, params *model.Forg
// give higher preference to params redirect uri
if strings.TrimSpace(refs.StringValue(params.RedirectURI)) != "" {
redirectURI = refs.StringValue(params.RedirectURI)
- if !validators.IsValidOrigin(redirectURI, g.Config.AllowedOrigins) {
+ if !validators.IsValidRedirectURI(redirectURI, g.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect URI")
return nil, fmt.Errorf("invalid redirect URI")
}
diff --git a/internal/graphql/invite_members.go b/internal/graphql/invite_members.go
index 1f4dfd35..7fcb185a 100644
--- a/internal/graphql/invite_members.go
+++ b/internal/graphql/invite_members.go
@@ -90,7 +90,7 @@ func (g *graphqlProvider) InviteMembers(ctx context.Context, params *model.Invit
redirectURL := appURL
if params.RedirectURI != nil {
redirectURL = *params.RedirectURI
- if !validators.IsValidOrigin(redirectURL, g.Config.AllowedOrigins) {
+ if !validators.IsValidRedirectURI(redirectURL, g.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect URI")
return nil, fmt.Errorf("invalid redirect URI")
}
diff --git a/internal/graphql/magic_link_login.go b/internal/graphql/magic_link_login.go
index 1c431f0b..5a8d2622 100644
--- a/internal/graphql/magic_link_login.go
+++ b/internal/graphql/magic_link_login.go
@@ -150,7 +150,7 @@ func (g *graphqlProvider) MagicLinkLogin(ctx context.Context, params *model.Magi
redirectURL := parsers.GetAppURL(gc)
if params.RedirectURI != nil {
redirectURL = *params.RedirectURI
- if !validators.IsValidOrigin(redirectURL, g.Config.AllowedOrigins) {
+ if !validators.IsValidRedirectURI(redirectURL, g.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect URI")
return nil, fmt.Errorf("invalid redirect URI")
}
diff --git a/internal/graphql/signup.go b/internal/graphql/signup.go
index 0f15f92f..c1d8d165 100644
--- a/internal/graphql/signup.go
+++ b/internal/graphql/signup.go
@@ -211,7 +211,7 @@ func (g *graphqlProvider) SignUp(ctx context.Context, params *model.SignUpReques
redirectURL := parsers.GetAppURL(gc)
if params.RedirectURI != nil {
redirectURL = *params.RedirectURI
- if !validators.IsValidOrigin(redirectURL, g.Config.AllowedOrigins) {
+ if !validators.IsValidRedirectURI(redirectURL, g.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect URI")
return nil, fmt.Errorf("invalid redirect URI")
}
diff --git a/internal/http_handlers/app.go b/internal/http_handlers/app.go
index 4362e0fc..4c1bd793 100644
--- a/internal/http_handlers/app.go
+++ b/internal/http_handlers/app.go
@@ -43,7 +43,7 @@ func (h *httpProvider) AppHandler() gin.HandlerFunc {
redirectURI = hostname + "/app"
} else {
// validate redirect url with allowed origins
- if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {
+ if !validators.IsValidRedirectURI(redirectURI, h.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect url")
c.JSON(400, gin.H{"error": "invalid redirect url"})
return
diff --git a/internal/http_handlers/authorize.go b/internal/http_handlers/authorize.go
index 20342be8..45decc7c 100644
--- a/internal/http_handlers/authorize.go
+++ b/internal/http_handlers/authorize.go
@@ -44,6 +44,7 @@ import (
"github.com/authorizerdev/authorizer/internal/cookie"
"github.com/authorizerdev/authorizer/internal/parsers"
"github.com/authorizerdev/authorizer/internal/token"
+ "github.com/authorizerdev/authorizer/internal/validators"
)
// Check the flow for generating and verifying codes: https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#:~:text=PKCE%20works%20by%20having%20the,is%20called%20the%20Code%20Challenge.
@@ -90,6 +91,16 @@ func (h *httpProvider) AuthorizeHandler() gin.HandlerFunc {
if redirectURI == "" {
redirectURI = "/app"
+ } else {
+ hostname := parsers.GetHost(gc)
+ if !validators.IsValidRedirectURI(redirectURI, h.Config.AllowedOrigins, hostname) {
+ log.Debug().Msg("Invalid redirect URI")
+ gc.JSON(http.StatusBadRequest, gin.H{
+ "error": "invalid_request",
+ "error_description": "invalid redirect_uri",
+ })
+ return
+ }
}
if responseType == "" {
diff --git a/internal/http_handlers/logout.go b/internal/http_handlers/logout.go
index 4df663ad..d2c3df1c 100644
--- a/internal/http_handlers/logout.go
+++ b/internal/http_handlers/logout.go
@@ -11,8 +11,10 @@ import (
"github.com/authorizerdev/authorizer/internal/constants"
"github.com/authorizerdev/authorizer/internal/cookie"
"github.com/authorizerdev/authorizer/internal/crypto"
+ "github.com/authorizerdev/authorizer/internal/parsers"
"github.com/authorizerdev/authorizer/internal/token"
"github.com/authorizerdev/authorizer/internal/utils"
+ "github.com/authorizerdev/authorizer/internal/validators"
)
// Handler to logout user
@@ -69,6 +71,14 @@ func (h *httpProvider) LogoutHandler() gin.HandlerFunc {
})
if redirectURL != "" {
+ hostname := parsers.GetHost(gc)
+ if !validators.IsValidRedirectURI(redirectURL, h.Config.AllowedOrigins, hostname) {
+ log.Debug().Msg("Invalid redirect URI")
+ gc.JSON(http.StatusBadRequest, gin.H{
+ "error": "invalid redirect uri",
+ })
+ return
+ }
gc.Redirect(http.StatusFound, redirectURL)
} else {
gc.JSON(http.StatusOK, gin.H{
diff --git a/internal/http_handlers/oauth_login.go b/internal/http_handlers/oauth_login.go
index 2d772e09..487573d9 100644
--- a/internal/http_handlers/oauth_login.go
+++ b/internal/http_handlers/oauth_login.go
@@ -7,6 +7,7 @@ import (
"github.com/gin-gonic/gin"
"github.com/google/uuid"
+ "github.com/authorizerdev/authorizer/internal/parsers"
"github.com/authorizerdev/authorizer/internal/validators"
)
@@ -31,7 +32,8 @@ func (h *httpProvider) OAuthLoginHandler() gin.HandlerFunc {
return
}
- if !validators.IsValidOrigin(redirectURI, h.Config.AllowedOrigins) {
+ hostname := parsers.GetHost(c)
+ if !validators.IsValidRedirectURI(redirectURI, h.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect URI")
c.JSON(400, gin.H{
"error": "invalid redirect uri",
diff --git a/internal/http_handlers/verify_email.go b/internal/http_handlers/verify_email.go
index 6811ce41..6e4cdd39 100644
--- a/internal/http_handlers/verify_email.go
+++ b/internal/http_handlers/verify_email.go
@@ -24,8 +24,9 @@ import (
func (h *httpProvider) VerifyEmailHandler() gin.HandlerFunc {
log := h.Log.With().Str("func", "VerifyEmailHandler").Logger()
return func(c *gin.Context) {
+ hostname := parsers.GetHost(c)
redirectURL := strings.TrimSpace(c.Query("redirect_uri"))
- if redirectURL != "" && !validators.IsValidOrigin(redirectURL, h.Config.AllowedOrigins) {
+ if redirectURL != "" && !validators.IsValidRedirectURI(redirectURL, h.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect URI")
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid redirect uri"})
return
@@ -49,7 +50,6 @@ func (h *httpProvider) VerifyEmailHandler() gin.HandlerFunc {
}
// verify if token exists in db
- hostname := parsers.GetHost(c)
claim, err := h.TokenProvider.ParseJWTToken(tokenInQuery)
if err != nil {
log.Debug().Err(err).Msg("Error parsing jwt token")
@@ -199,7 +199,7 @@ func (h *httpProvider) VerifyEmailHandler() gin.HandlerFunc {
if redirectURL == "" {
redirectURL = claim["redirect_uri"].(string)
}
- if !validators.IsValidOrigin(redirectURL, h.Config.AllowedOrigins) {
+ if !validators.IsValidRedirectURI(redirectURL, h.Config.AllowedOrigins, hostname) {
log.Debug().Msg("Invalid redirect URI in token claim")
c.JSON(http.StatusBadRequest, gin.H{"error": "invalid redirect uri"})
return
diff --git a/internal/integration_tests/redirect_uri_validation_test.go b/internal/integration_tests/redirect_uri_validation_test.go
index fc1153c0..3dfc830c 100644
--- a/internal/integration_tests/redirect_uri_validation_test.go
+++ b/internal/integration_tests/redirect_uri_validation_test.go
@@ -1,65 +1,30 @@
package integration_tests
import (
- "fmt"
"testing"
"github.com/google/uuid"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
- "github.com/authorizerdev/authorizer/internal/constants"
- "github.com/authorizerdev/authorizer/internal/crypto"
+ "github.com/authorizerdev/authorizer/internal/config"
"github.com/authorizerdev/authorizer/internal/graph/model"
"github.com/authorizerdev/authorizer/internal/refs"
)
-// TestRedirectURIValidation verifies that all endpoints accepting redirect_uri
-// validate it against AllowedOrigins to prevent open-redirect token theft.
-func TestRedirectURIValidation(t *testing.T) {
- cfg := getTestConfig()
- cfg.AllowedOrigins = []string{"http://localhost:3000"}
- cfg.EnableMagicLinkLogin = true
- cfg.EnableEmailVerification = true
- cfg.IsEmailServiceEnabled = true
- cfg.IsSMSServiceEnabled = true
- cfg.SMTPHost = "localhost"
- cfg.SMTPPort = 1025
- cfg.SMTPSenderEmail = "test@authorizer.dev"
- cfg.SMTPSenderName = "Test"
- cfg.SMTPLocalName = "Test"
- cfg.SMTPSkipTLSVerification = true
-
- ts := initTestSetup(t, cfg)
- _, ctx := createContext(ts)
-
- attackerURL := "https://attacker.com/steal"
- validURL := "http://localhost:3000/callback"
-
- t.Run("ForgotPassword should reject invalid redirect_uri", func(t *testing.T) {
- // First create a user
- email := "fp_redirect_test_" + uuid.New().String() + "@authorizer.dev"
- password := "Password@123"
- signupRes, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
- Email: &email,
- Password: password,
- ConfirmPassword: password,
- })
- require.NoError(t, err)
- require.NotNil(t, signupRes)
+// TestRedirectURIRejectsAttacker verifies that forgot_password rejects
+// attacker-controlled redirect_uri values with explicit AllowedOrigins.
+func TestRedirectURIRejectsAttacker(t *testing.T) {
+ runForEachDB(t, func(t *testing.T, cfg *config.Config) {
+ cfg.AllowedOrigins = []string{"http://localhost:3000"}
+ cfg.EnableBasicAuthentication = true
+ cfg.EnableEmailVerification = false
+ cfg.EnableSignup = true
- // Attacker-controlled redirect_uri should be rejected
- res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
- Email: refs.NewStringRef(email),
- RedirectURI: refs.NewStringRef(attackerURL),
- })
- assert.Error(t, err)
- assert.Nil(t, res)
- assert.Contains(t, err.Error(), "invalid redirect URI")
- })
+ ts := initTestSetup(t, cfg)
+ _, ctx := createContext(ts)
- t.Run("ForgotPassword should accept valid redirect_uri", func(t *testing.T) {
- email := "fp_valid_redirect_" + uuid.New().String() + "@authorizer.dev"
+ email := "redirect_test_" + uuid.New().String() + "@authorizer.dev"
password := "Password@123"
signupRes, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
Email: &email,
@@ -69,98 +34,96 @@ func TestRedirectURIValidation(t *testing.T) {
require.NoError(t, err)
require.NotNil(t, signupRes)
- res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
- Email: refs.NewStringRef(email),
- RedirectURI: refs.NewStringRef(validURL),
+ t.Run("rejects attacker redirect_uri", func(t *testing.T) {
+ res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
+ Email: refs.NewStringRef(email),
+ RedirectURI: refs.NewStringRef("https://attacker.com/steal"),
+ })
+ assert.Error(t, err)
+ assert.Nil(t, res)
+ assert.Contains(t, err.Error(), "invalid redirect URI")
})
- assert.NoError(t, err)
- assert.NotNil(t, res)
- })
- t.Run("MagicLinkLogin should reject invalid redirect_uri", func(t *testing.T) {
- email := "ml_redirect_test_" + uuid.New().String() + "@authorizer.dev"
- res, err := ts.GraphQLProvider.MagicLinkLogin(ctx, &model.MagicLinkLoginRequest{
- Email: email,
- RedirectURI: &attackerURL,
+ t.Run("accepts valid redirect_uri", func(t *testing.T) {
+ res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
+ Email: refs.NewStringRef(email),
+ RedirectURI: refs.NewStringRef("http://localhost:3000/reset"),
+ })
+ assert.NoError(t, err)
+ assert.NotNil(t, res)
})
- assert.Error(t, err)
- assert.Nil(t, res)
- assert.Contains(t, err.Error(), "invalid redirect URI")
})
+}
- t.Run("MagicLinkLogin should accept valid redirect_uri", func(t *testing.T) {
- email := "ml_valid_redirect_" + uuid.New().String() + "@authorizer.dev"
- res, err := ts.GraphQLProvider.MagicLinkLogin(ctx, &model.MagicLinkLoginRequest{
- Email: email,
- RedirectURI: &validURL,
- })
- assert.NoError(t, err)
- assert.NotNil(t, res)
- })
+// TestRedirectURIWildcardOrigins is a regression test for the open redirect
+// vulnerability (issue #540). When allowed_origins=["*"] (the default config),
+// attacker-controlled redirect_uri values must still be rejected.
+func TestRedirectURIWildcardOrigins(t *testing.T) {
+ runForEachDB(t, func(t *testing.T, cfg *config.Config) {
+ cfg.AllowedOrigins = []string{"*"}
+ cfg.EnableBasicAuthentication = true
+ cfg.EnableEmailVerification = false
+ cfg.EnableSignup = true
+ ts := initTestSetup(t, cfg)
+ _, ctx := createContext(ts)
- t.Run("Signup should reject invalid redirect_uri", func(t *testing.T) {
- email := "signup_redirect_test_" + uuid.New().String() + "@authorizer.dev"
+ email := "wildcard_redirect_" + uuid.New().String() + "@authorizer.dev"
password := "Password@123"
- res, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
- Email: &email,
- Password: password,
- ConfirmPassword: password,
- RedirectURI: &attackerURL,
- })
- assert.Error(t, err)
- assert.Nil(t, res)
- assert.Contains(t, err.Error(), "invalid redirect URI")
- })
- t.Run("Signup should accept valid redirect_uri", func(t *testing.T) {
- email := "signup_valid_redirect_" + uuid.New().String() + "@authorizer.dev"
- password := "Password@123"
- res, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
+ signupRes, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
Email: &email,
Password: password,
ConfirmPassword: password,
- RedirectURI: &validURL,
})
- assert.NoError(t, err)
- assert.NotNil(t, res)
- })
-
- t.Run("InviteMembers should reject invalid redirect_uri", func(t *testing.T) {
- cfg.IsEmailServiceEnabled = true
- cfg.EnableBasicAuthentication = true
- cfg.EnableMagicLinkLogin = true
-
- req, _ := createContext(ts)
- h, err := crypto.EncryptPassword(cfg.AdminSecret)
require.NoError(t, err)
- req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, h))
+ require.NotNil(t, signupRes)
- emailTo := "invite_redirect_test_" + uuid.New().String() + "@authorizer.dev"
- res, err := ts.GraphQLProvider.InviteMembers(ctx, &model.InviteMemberRequest{
- Emails: []string{emailTo},
- RedirectURI: &attackerURL,
+ t.Run("rejects attacker redirect_uri with wildcard origins", func(t *testing.T) {
+ res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
+ Email: refs.NewStringRef(email),
+ RedirectURI: refs.NewStringRef("https://attacker.com/capture"),
+ })
+ assert.Error(t, err)
+ assert.Nil(t, res)
+ assert.Contains(t, err.Error(), "invalid redirect URI")
})
- assert.Error(t, err)
- assert.Nil(t, res)
- assert.Contains(t, err.Error(), "invalid redirect URI")
- })
- t.Run("InviteMembers should accept valid redirect_uri", func(t *testing.T) {
- cfg.IsEmailServiceEnabled = true
- cfg.EnableBasicAuthentication = true
- cfg.EnableMagicLinkLogin = true
+ t.Run("allows self-origin redirect_uri with wildcard origins", func(t *testing.T) {
+ selfURI := "http://" + ts.HttpServer.Listener.Addr().String() + "/app/reset-password"
+ res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
+ Email: refs.NewStringRef(email),
+ RedirectURI: refs.NewStringRef(selfURI),
+ })
+ assert.NoError(t, err)
+ assert.NotNil(t, res)
+ assert.NotEmpty(t, res.Message)
+ })
- req, _ := createContext(ts)
- h, err := crypto.EncryptPassword(cfg.AdminSecret)
- require.NoError(t, err)
- req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, h))
+ t.Run("works without redirect_uri (uses default)", func(t *testing.T) {
+ res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
+ Email: refs.NewStringRef(email),
+ })
+ assert.NoError(t, err)
+ assert.NotNil(t, res)
+ assert.NotEmpty(t, res.Message)
+ })
+
+ t.Run("rejects javascript scheme", func(t *testing.T) {
+ res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
+ Email: refs.NewStringRef(email),
+ RedirectURI: refs.NewStringRef("javascript:alert(1)"),
+ })
+ assert.Error(t, err)
+ assert.Nil(t, res)
+ })
- emailTo := "invite_valid_redirect_" + uuid.New().String() + "@authorizer.dev"
- res, err := ts.GraphQLProvider.InviteMembers(ctx, &model.InviteMemberRequest{
- Emails: []string{emailTo},
- RedirectURI: &validURL,
+ t.Run("rejects data scheme", func(t *testing.T) {
+ res, err := ts.GraphQLProvider.ForgotPassword(ctx, &model.ForgotPasswordRequest{
+ Email: refs.NewStringRef(email),
+ RedirectURI: refs.NewStringRef("data:text/html,evil
"),
+ })
+ assert.Error(t, err)
+ assert.Nil(t, res)
})
- assert.NoError(t, err)
- assert.NotNil(t, res)
})
}
diff --git a/internal/validators/url.go b/internal/validators/url.go
index 3370db52..d7d2ac62 100644
--- a/internal/validators/url.go
+++ b/internal/validators/url.go
@@ -26,6 +26,58 @@ func normalizeOrigin(raw string) string {
return host + ":" + port
}
+// IsValidRedirectURI validates a redirect URI for security-critical flows (password reset,
+// magic link, OAuth, etc.). Unlike IsValidOrigin (used for CORS), this function never
+// accepts "*" as a blanket pass. When allowed_origins contains only "*" (the default),
+// it restricts redirects to the server's own hostname. When explicit origins are
+// configured, it validates against those using the same matching logic as IsValidOrigin.
+func IsValidRedirectURI(redirectURI string, allowedOrigins []string, hostname string) bool {
+ u, err := url.Parse(redirectURI)
+ if err != nil {
+ return false
+ }
+ // Only allow http and https schemes to prevent javascript:, data:, ftp:, etc.
+ if u.Scheme != "http" && u.Scheme != "https" {
+ return false
+ }
+
+ origins := allowedOrigins
+ if len(origins) == 0 {
+ origins = []string{"*"}
+ }
+
+ redirectOrigin := normalizeOrigin(redirectURI)
+
+ // When allowed_origins is wildcard, only allow redirects to the server's own hostname
+ if len(origins) == 1 && origins[0] == "*" {
+ return redirectOrigin == normalizeOrigin(hostname)
+ }
+
+ // Validate against explicit allowed origins (same logic as IsValidOrigin)
+ for _, origin := range origins {
+ pattern := normalizeOrigin(origin)
+
+ if strings.Contains(origin, "*") {
+ pattern = strings.ReplaceAll(pattern, ".", "\\.")
+ pattern = strings.ReplaceAll(pattern, "*", ".*")
+
+ if strings.HasPrefix(pattern, ".*") {
+ pattern += "\\b"
+ }
+
+ if strings.HasSuffix(pattern, ".*") {
+ pattern = "\\b" + pattern
+ }
+ }
+
+ if matched, _ := regexp.MatchString("^"+pattern+"$", redirectOrigin); matched {
+ return true
+ }
+ }
+
+ return false
+}
+
// IsValidOrigin validates origin based on ALLOWED_ORIGINS
func IsValidOrigin(inputURL string, allowedOriginsConfig []string) bool {
allowedOrigins := allowedOriginsConfig
diff --git a/internal/validators/url_test.go b/internal/validators/url_test.go
index c3c313a3..39384754 100644
--- a/internal/validators/url_test.go
+++ b/internal/validators/url_test.go
@@ -193,3 +193,111 @@ func TestIsValidOrigin(t *testing.T) {
assert.False(t, IsValidOrigin("https://evil.com", allowed))
})
}
+
+func TestIsValidRedirectURI(t *testing.T) {
+ hostname := "https://myserver.com"
+
+ t.Run("wildcard config allows self-origin redirect", func(t *testing.T) {
+ assert.True(t, IsValidRedirectURI("https://myserver.com/app/reset-password", []string{"*"}, hostname))
+ assert.True(t, IsValidRedirectURI("https://myserver.com/callback", []string{"*"}, hostname))
+ assert.True(t, IsValidRedirectURI("https://myserver.com", []string{"*"}, hostname))
+ })
+
+ t.Run("wildcard config rejects attacker URL", func(t *testing.T) {
+ assert.False(t, IsValidRedirectURI("https://attacker.com/capture", []string{"*"}, hostname))
+ assert.False(t, IsValidRedirectURI("https://evil.com/steal", []string{"*"}, hostname))
+ assert.False(t, IsValidRedirectURI("https://myserver.com.attacker.com/cb", []string{"*"}, hostname))
+ })
+
+ t.Run("wildcard config rejects subdomain mismatch", func(t *testing.T) {
+ assert.False(t, IsValidRedirectURI("https://sub.myserver.com/cb", []string{"*"}, hostname))
+ })
+
+ t.Run("empty config defaults to wildcard behavior", func(t *testing.T) {
+ assert.True(t, IsValidRedirectURI("https://myserver.com/cb", []string{}, hostname))
+ assert.True(t, IsValidRedirectURI("https://myserver.com/cb", nil, hostname))
+ assert.False(t, IsValidRedirectURI("https://attacker.com", []string{}, hostname))
+ assert.False(t, IsValidRedirectURI("https://attacker.com", nil, hostname))
+ })
+
+ t.Run("explicit origins valid redirect", func(t *testing.T) {
+ allowed := []string{"https://app.example.com"}
+ assert.True(t, IsValidRedirectURI("https://app.example.com/callback", allowed, hostname))
+ assert.True(t, IsValidRedirectURI("https://app.example.com", allowed, hostname))
+ })
+
+ t.Run("explicit origins invalid redirect", func(t *testing.T) {
+ allowed := []string{"https://app.example.com"}
+ assert.False(t, IsValidRedirectURI("https://attacker.com", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://app.example.com.evil.com", allowed, hostname))
+ })
+
+ t.Run("wildcard subdomain origins", func(t *testing.T) {
+ allowed := []string{"*.example.com"}
+ // Valid subdomains
+ assert.True(t, IsValidRedirectURI("https://api.example.com/cb", allowed, hostname))
+ assert.True(t, IsValidRedirectURI("https://auth.example.com/login", allowed, hostname))
+ assert.True(t, IsValidRedirectURI("https://app.staging.example.com/cb", allowed, hostname))
+ // Root domain not matched by wildcard subdomain
+ assert.False(t, IsValidRedirectURI("https://example.com", allowed, hostname))
+ // Attacker domains
+ assert.False(t, IsValidRedirectURI("https://evil.com", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://exampleXcom.evil.com", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://example.com.attacker.com", allowed, hostname))
+ })
+
+ t.Run("wildcard subdomain with port", func(t *testing.T) {
+ allowed := []string{"*.example.com:8080"}
+ assert.True(t, IsValidRedirectURI("https://api.example.com:8080/cb", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://api.example.com/cb", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://api.example.com:9090/cb", allowed, hostname))
+ })
+
+ t.Run("multiple origins with wildcard subdomain", func(t *testing.T) {
+ allowed := []string{"*.myapp.com", "http://localhost:3000"}
+ assert.True(t, IsValidRedirectURI("https://auth.myapp.com/cb", allowed, hostname))
+ assert.True(t, IsValidRedirectURI("https://api.myapp.com/cb", allowed, hostname))
+ assert.True(t, IsValidRedirectURI("http://localhost:3000/cb", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://attacker.com", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://myapp.com", allowed, hostname))
+ })
+
+ t.Run("javascript scheme rejected", func(t *testing.T) {
+ assert.False(t, IsValidRedirectURI("javascript:alert(1)", []string{"*"}, hostname))
+ })
+
+ t.Run("data scheme rejected", func(t *testing.T) {
+ assert.False(t, IsValidRedirectURI("data:text/html,evil
", []string{"*"}, hostname))
+ })
+
+ t.Run("ftp scheme rejected", func(t *testing.T) {
+ assert.False(t, IsValidRedirectURI("ftp://evil.com/file", []string{"*"}, hostname))
+ })
+
+ t.Run("empty string rejected", func(t *testing.T) {
+ assert.False(t, IsValidRedirectURI("", []string{"*"}, hostname))
+ })
+
+ t.Run("port matching with localhost", func(t *testing.T) {
+ localhostHost := "http://localhost:3000"
+ assert.True(t, IsValidRedirectURI("http://localhost:3000/cb", []string{"*"}, localhostHost))
+ assert.False(t, IsValidRedirectURI("http://localhost:4000/cb", []string{"*"}, localhostHost))
+ assert.False(t, IsValidRedirectURI("http://localhost/cb", []string{"*"}, localhostHost))
+ })
+
+ t.Run("standard port normalization", func(t *testing.T) {
+ assert.True(t, IsValidRedirectURI("https://myserver.com:443/cb", []string{"*"}, hostname))
+ })
+
+ t.Run("path is ignored in origin matching", func(t *testing.T) {
+ assert.True(t, IsValidRedirectURI("https://myserver.com/any/path/here", []string{"*"}, hostname))
+ assert.True(t, IsValidRedirectURI("https://myserver.com/app/reset-password?foo=bar", []string{"*"}, hostname))
+ })
+
+ t.Run("multiple allowed origins", func(t *testing.T) {
+ allowed := []string{"https://app.example.com", "http://localhost:3000"}
+ assert.True(t, IsValidRedirectURI("https://app.example.com/cb", allowed, hostname))
+ assert.True(t, IsValidRedirectURI("http://localhost:3000/cb", allowed, hostname))
+ assert.False(t, IsValidRedirectURI("https://attacker.com", allowed, hostname))
+ })
+}